Bug#454529: two more CVEs
konqueror at gmx.de
Wed Dec 19 13:34:15 UTC 2007
On Wed, Dec 05, 2007 at 11:45:41PM +0100, Steffen Joeris wrote:
> There have been two more CVEs for jetty:
> Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty
> before 6.1.6rc1 allows remote attackers to inject arbitrary web script or
> HTML via unspecified parameters and cookies.
> Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote
> sequences" in HTML cookie parameters, which allows remote attackers to hijack
> browser sessions via unspecified vectors.
I have spoken with upstream about these three issues and they are
working on a solution for this in Jetty 5.1. For Jetty 6 (which is not
yet in Debian) the issue was easy to fix due to its design. Jetty 5.1
needs some major work.
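The first CVE above describes a debug-style servlet that reflects request parameters and cookies into an HTML page without escaping. The following is an added illustration of that pattern and its hardened form; it is not Jetty's Dump Servlet code and not the upstream fix. The `escapeHtml`, `dumpUnsafe` and `dumpSafe` functions, and the sample parameter and cookie values, are constructed here for the example.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class DumpEscapeExample {

    // Minimal HTML escaper covering the five characters that matter for
    // text nodes and double-quoted attribute values. (Hypothetical helper
    // written for this example, not a Jetty API.)
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Unsafe: names and values from the request land verbatim in the
    // markup, so a crafted parameter or cookie becomes script in the page.
    static String dumpUnsafe(Map<String, String> params, Map<String, String> cookies) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Map.Entry<String, String> e : params.entrySet()) {
            html.append("<tr><td>param ").append(e.getKey())
                .append("</td><td>").append(e.getValue()).append("</td></tr>\n");
        }
        for (Map.Entry<String, String> e : cookies.entrySet()) {
            html.append("<tr><td>cookie ").append(e.getKey())
                .append("</td><td title=\"").append(e.getValue()).append("\">")
                .append(e.getValue()).append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    // Hardened: every attacker-controlled string is escaped at the point
    // where it is written into HTML, whether as text or inside an attribute.
    static String dumpSafe(Map<String, String> params, Map<String, String> cookies) {
        StringBuilder html = new StringBuilder("<table>\n");
        for (Map.Entry<String, String> e : params.entrySet()) {
            html.append("<tr><td>param ").append(escapeHtml(e.getKey()))
                .append("</td><td>").append(escapeHtml(e.getValue())).append("</td></tr>\n");
        }
        for (Map.Entry<String, String> e : cookies.entrySet()) {
            html.append("<tr><td>cookie ").append(escapeHtml(e.getKey()))
                .append("</td><td title=\"").append(escapeHtml(e.getValue())).append("\">")
                .append(escapeHtml(e.getValue())).append("</td></tr>\n");
        }
        return html.append("</table>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: one parameter and one cookie value
        // carrying markup and a quote sequence that breaks out of an attribute.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("q", "<script>alert(1)</script>");
        Map<String, String> cookies = new LinkedHashMap<>();
        cookies.put("JSESSIONID", "x\" onmouseover=\"alert(1)");

        System.out.println("--- unsafe dump (script and attribute injection survive) ---");
        System.out.println(dumpUnsafe(params, cookies));
        System.out.println("--- safe dump (everything rendered as inert text) ---");
        System.out.println(dumpSafe(params, cookies));
    }
}
```

Compile and run with `javac DumpEscapeExample.java && java DumpEscapeExample`. The point of escaping inside the attribute as well as the text node is that a value containing a double quote can otherwise close the `title="..."` attribute and start a new one, which is the class of problem a dump page that echoes cookies has to defend against.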